Opened 10 years ago
Last modified 10 years ago
#11 reopened defect
VHost/IP-Mismatch may allow for access to unintended VHosts
Reported by: | Daniel Kahn Gillmor | Owned by: | Daniel Kahn Gillmor |
---|---|---|---|
Priority: | major | Component: | code |
Version: | 5.10 | Keywords: | test-needed |
Cc: |
Description
Due to a problem with the way VHost configurations are matched to the connection it is possible that on a configuration with multiple IPs (e.g. IPv4/IPv6 or multiple IPv4) an attacker could issue a request on one IP address of the server which requests a VHost that should only be available on a different (possibly private) IP address.
Additional Information
- Create two VHosts on different IPs.
- VHost A on IP1
- VHost B on IP2
- Open a connection to IP1 requesting a domain only available on IP2 (e.g. B)
- Expected
- Default Fallback VHost of IP1
- Actual
- Some random matching VHost configuration for the domain even if mismatching the IP.
Note that in order to get a configuration of the wrong IP it's enough to have a VHost for Domain A on IP2 as well as IP1 (e.g. the IPv4/IPv6 Dual Stack case). That's also how I noticed this misbehaviour.
Change History (2)
comment:1 Changed 10 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:2 Changed 10 years ago by
Keywords: | test-needed added |
---|---|
Resolution: | fixed |
Status: | closed → reopened |
I'd like to see a test written for this, though.
benbe said:
dash said: